The author is a Forbes contributor. The opinions expressed are those of the writer.


When Google employed a digital Bouncer to keep reprobates out of its Android app market, it knew some would slip through the net. Indeed, the tech titan’s heavies forced cybercriminals to come up with ever-smarter ways of breaching Google Play security, as a group of hackers who appear to be Chinese has proven. Their malware, say security experts, has infected at least 200,000 Android phones, possibly as many as 1 million.

Over the last month, the hacker crew has placed its malicious software on the store under the guise of a Brain Test app. The application installed a backdoor for adding further malware, together with a rootkit, a type of software that situates itself deep in the operating system. On affected Android devices, the rootkit ensured that even when the victim deleted the app, it would reappear after a reboot, said researchers from security firm Check Point. That means those infected have to go through the somewhat complex process of reflashing the device to truly get rid of the malware.

Brain Test malware infects as many as 1 million Android devices.

Michael Shaulov, head of mobility at Check Point, said the hackers used “a combination of very sophisticated techniques to get past the Google Bouncer”. In the first case, they were able to determine when Bouncer was inspecting them. Bouncer is effectively a sandbox that runs submitted applications in a contained environment to check whether they do anything malicious. The bad code in Brain Test would simply not run whenever the malware detected that the app had been opened from Google's server IP addresses. What's more, the malicious parts of the Brain Test apps would not run until the hackers triggered them from their command and control servers.

Those two techniques were used in the first Brain Test malware, which was removed from Google Play on 24 August. When the hackers got the app back on the store, using a different developer profile, they used a Baidu tool to obfuscate the code to ensure its underlying purpose couldn't be ascertained by Google's automated analysis.

A total of four privilege escalation exploits, all now patched, were used by Brain Test to gain root access on devices, whilst an “anti-uninstall watchdog” used two system applications to look out for the removal of one of its components and subsequently reinstall it.

As well as installing further malware on infected phones, Brain Test sought to thrust irritating ads on people’s screens, likely as a way to earn the perpetrators money. Check Point found an Android application file that contained links to various advertising networks.

The Chinese connection

Shaulov said the use of the Baidu tool indicated the hackers were Chinese, given the language required for using it. A separate analysis carried out for FORBES by ElevenPaths, a Telefonica-owned company, found the actor behind Brain Test was linked to numerous other malware samples masquerading as legitimate apps.

Adolfo Lorente, from the ElevenPaths team, and Chema Alonso, now head of security at Telefonica, were able to pinpoint different accounts linked to the cybercriminal group by hunting for "singularities": technical or circumstantial data that are "singular or unique" to a developer. They used the firm's Tacyt tool, which provides intelligence on Google Play threats, to find those links.

Lorente found that all the malware used Umeng, the mobile app analytics firm owned by Chinese giant Alibaba, and used the same app key to authenticate to the service. They also all used external links pointing to the same Chinese domains. Furthermore, they used image files (PNGs and JPGs) that appeared to be reused across other apps identified as adware, apps that use invasive and aggressive adverts to draw clicks and so earn revenue. And the malicious apps carried signing certificates with the same name attached: "zhtiantian".

The apps carrying that last "singularity" included Candy Crazy 2015, Save Eyes, Tiny Puzzle and Crazy Jelly. All but one, called Mobogenie, have now been removed from Google Play. All were developed between 13 June and 9 September.
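The account-linking described above, as an added example that is not Check Point's, ElevenPaths' or the Tacyt tool's own code: a small Python script that indexes per-app metadata by the singularities the article names (signing-certificate subject name, Umeng app key, embedded domains, reused image assets) and clusters apps that share any one of them, transitively. The app names in the sample records follow the article, but every certificate name, key, domain and asset hash is a constructed placeholder, as is the list of common values that are excluded because sharing them proves nothing.

```python
from collections import defaultdict
from itertools import combinations

# Fields that are normally specific to one developer: sharing a value across
# apps published from different accounts is a "singularity" linking them.
SINGULARITY_FIELDS = ("cert_cn", "umeng_key", "domains", "asset_hashes")

# Values too common to prove anything (assumption for this example: a real
# deployment would seed this list from a baseline of benign apps).
COMMON_VALUES = {
    "cert_cn": {"Android Debug"},
    "domains": {"googleapis.com", "facebook.com"},
}

# Constructed sample records: app names follow the article, but every
# certificate name, key, domain and hash below is a placeholder.
APPS = [
    {"name": "Brain Test", "developer": "dev-account-1",
     "cert_cn": "zhtiantian", "umeng_key": "UMENG-KEY-A",
     "domains": {"ads.example-cn.test", "googleapis.com"},
     "asset_hashes": {"png-hash-1"}},
    {"name": "Candy Crazy 2015", "developer": "dev-account-2",
     "cert_cn": "zhtiantian", "umeng_key": "UMENG-KEY-A",
     "domains": {"googleapis.com"},
     "asset_hashes": {"png-hash-2"}},
    {"name": "Save Eyes", "developer": "dev-account-3",
     "cert_cn": "other-developer", "umeng_key": "UMENG-KEY-B",
     "domains": {"ads.example-cn.test"},
     "asset_hashes": {"png-hash-2", "jpg-hash-3"}},
    {"name": "Unrelated Notes", "developer": "dev-account-4",
     "cert_cn": "Android Debug", "umeng_key": "UMENG-KEY-Z",
     "domains": {"googleapis.com"},
     "asset_hashes": {"png-hash-9"}},
]


def index_singularities(apps):
    """Map each (field, value) pair to the set of app names carrying it,
    skipping values listed as common."""
    index = defaultdict(set)
    for app in apps:
        for field in SINGULARITY_FIELDS:
            values = app[field]
            if isinstance(values, str):
                values = {values}
            for value in values:
                if value in COMMON_VALUES.get(field, set()):
                    continue
                index[(field, value)].add(app["name"])
    return index


def link_apps(apps):
    """Return (clusters, evidence): clusters is a list of sorted app-name lists
    (largest first); evidence maps each linked pair to the singularities it
    shares. Union-find merges apps transitively, so A~B and B~C puts A, B and C
    in one cluster even if A and C share nothing directly."""
    parent = {app["name"]: app["name"] for app in apps}

    def find(name):
        while parent[name] != name:
            parent[name] = parent[parent[name]]  # path halving
            name = parent[name]
        return name

    evidence = defaultdict(set)
    for key, names in index_singularities(apps).items():
        if len(names) < 2:
            continue  # unique to one app: no link
        for a, b in combinations(sorted(names), 2):
            parent[find(a)] = find(b)
            evidence[frozenset((a, b))].add(key)

    clusters = defaultdict(set)
    for name in parent:
        clusters[find(name)].add(name)
    ordered = sorted((sorted(c) for c in clusters.values()),
                     key=lambda c: (-len(c), c))
    return ordered, dict(evidence)


if __name__ == "__main__":
    clusters, evidence = link_apps(APPS)
    for cluster in clusters:
        print("cluster:", ", ".join(cluster))
    for pair, keys in sorted(evidence.items(), key=lambda kv: sorted(kv[0])):
        print("  %s <-> %s via %s" % (tuple(sorted(pair)) + (sorted(keys),)))
```

Two points matter in practice. The common-values list is what keeps the method honest: a debug signing certificate or a Google API domain appears in thousands of apps, so counting it as a singularity would fold unrelated developers into one cluster. And a shared key or certificate links accounts, not necessarily a single person; as Lorente's wording shows, the conclusion remains a probable attribution that other evidence has to support.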

“I would bet for a Chinese developer profile belonging to a bigger group of infectors trying to monetize apps through aggressive adware and gathering info from infected devices,” said Lorente.

Google noted that the apps had been removed but had no comment on the other findings.